CVE-2025-14895 - PopupKit <= 2.2.0 - missing authorization to sensitive information disclosure an...

CVE ID : CVE-2025-14895 Published : Feb. 10, 2026, 10:15 a.m. | 32 minutes ago Description : The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics. Severity: 5.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...